Port 901 sits in the well-known ports range (0-1023), officially assigned by IANA. But this port tells a story about the gap between formal assignments and how the Internet actually works.
The Official Assignment Nobody Uses
According to IANA, port 901 is officially assigned to "SMPNAMERES" for both TCP and UDP.1 What does SMPNAMERES do? Good question. Even after searching through documentation and technical forums, there's almost no information about this service. It appears in system services files, it has an official assignment, but finding anyone who has actually used it or can explain its purpose is nearly impossible.2
This is not uncommon in the well-known ports range. Many early assignments went to services that never achieved widespread adoption or were replaced by better solutions before they could gain traction.
What Actually Used Port 901
In practice, port 901 became associated with two very different things:
SWAT (Samba Web Administration Tool) — A web-based interface for managing Samba file servers on Linux and Unix systems.3 SWAT listened on port 901 and provided a browser-based way to configure Samba shares, user permissions, and server settings. For years, this was the de facto use of port 901, even though it was never the official IANA assignment.
SWAT made Samba administration more accessible, but it had problems. Running a web interface with administrative privileges created security risks. The tool was eventually deprecated in newer Samba releases and is now largely absent from modern systems.4
The NetDevil Trojan — A backdoor trojan that used port 901 as its default control port.5 NetDevil allowed remote attackers to take complete control of infected Windows systems. It used port 901 for command and control, port 902 for keylogger data exfiltration, and port 903 for file transfers. The malware was prevalent in the early 2000s and became one of the reasons security administrators learned to monitor port 901 for suspicious activity.6
The Security Problem
Port 901 demonstrates why unassigned or little-used ports can become security risks. When a port has no widespread legitimate use, any traffic on it becomes suspicious. But when legitimate tools like SWAT coexist with malware using the same port, detection becomes harder.
SANS Internet Storm Center tracks attack activity on port 901, showing ongoing scanning and exploitation attempts.7 Even though both SWAT and NetDevil are largely obsolete, the port remains on security watchlists.
Other Unofficial Uses
Port 901 has also been observed in use by:
- VMware Virtual Infrastructure Client for management communication8
- Mac OS X RPC-based services like NetInfo9
These uses, like SWAT, were never officially registered with IANA.
Checking What's Listening on Port 901
To see if anything is listening on port 901 on your system:
On Linux/Mac:
On Windows:
If you find something listening on port 901 and you didn't explicitly configure it, investigate immediately. Legitimate modern services rarely use this port.
Why This Port Matters
Port 901 is a case study in the Internet's informal structure. Official assignments don't always reflect reality. Useful tools take over ports regardless of registration. Security tools evolve to deal with both legitimate services and malware using the same ports. And eventually, both the original assignment and the practical uses fade away, leaving only the security concerns.
The well-known ports range was designed to prevent exactly this kind of confusion—stable, registered assignments that everyone could rely on. Port 901 shows what happens when that system breaks down.
Adakah halaman ini membantu?